azclaude-copilot 0.4.30 → 0.4.32

package/.claude-plugin/marketplace.json

@@ -9,7 +9,7 @@
     {
       "name": "azclaude",
       "description": "AZCLAUDE is a complete AI coding environment for Claude Code. It installs 34 commands, 9 auto-invoked skills, 15 specialized agents, 4 hooks, and a persistent memory system — in one command.\n\nKey features:\n• Memory across sessions — goals.md + checkpoints injected automatically before every session\n• Self-improving loop — /reflect fixes stale CLAUDE.md rules, /reflexes learns from tool-use patterns, /evolve creates agents from git evidence\n• Autonomous copilot mode — /copilot runs a three-tier team (orchestrator → problem-architect → milestone-builder) across sessions until the product ships\n• Spec-driven workflow — /constitute writes project rules, /spec writes structured ACs, /analyze detects plan drift and ghost milestones, /blueprint traces every milestone to a spec\n• Security layer — 111-rule environment scan (/sentinel), pre-write secret blocking, pre-ship credential audit\n• Progressive levels 0–10 — start with CLAUDE.md, grow into multi-agent pipelines and self-evolving environments\n• Zero dependencies — no npm packages, no external APIs, no vector databases. Plain markdown files and Claude Code's native architecture.\n• Smart install — npx azclaude-copilot@latest auto-detects first install vs upgrade vs verify. Context-aware onboarding shows the right next command for your project state.\n\nExample use cases:\n• /setup — scan an existing project, detect stack + domain + scale, fill CLAUDE.md, generate project-specific skills and agents automatically\n• /copilot \"Build a compliance SaaS with trilingual support\" — walk away, come back to working code across multiple sessions\n• /sentinel — run a scored security audit (0–100, grade A–F) across hooks, permissions, MCP servers, agent configs, and secrets\n• /evolve — detect gaps in the environment, generate new skills and agents from git co-change evidence, report score delta (e.g. 42/100 → 68/100)\n• /constitute — write your project's constitution (non-negotiables, architectural commitments, definition of done) — gates all future AI actions\n• /analyze — cross-artifact consistency check: ghost milestones, spec vs. code drift, unplanned commits\n• /reflect — find stale, missing, or contradicting rules in CLAUDE.md and propose exact fixes\n• /debate \"REST vs GraphQL for this project\" — adversarial evidence-based decision with order-independent scoring, logged to decisions.md",
-      "version": "0.4.30",
+      "version": "0.4.32",
       "source": {
         "source": "github",
         "repo": "haytamAroui/AZ-CLAUDE-COPILOT",

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "azclaude",
-  "version": "0.4.30",
+  "version": "0.4.32",
   "description": "AZCLAUDE is a complete AI coding environment for Claude Code. It installs 34 commands, 9 auto-invoked skills, 15 specialized agents, 4 hooks, and a persistent memory system — in one command.\n\nKey features:\n• Memory across sessions — goals.md + checkpoints injected automatically before every session\n• Self-improving loop — /reflect fixes stale CLAUDE.md rules, /reflexes learns from tool-use patterns, /evolve creates agents from git evidence\n• Autonomous copilot mode — /copilot runs a three-tier team (orchestrator → problem-architect → milestone-builder) across sessions until the product ships\n• Spec-driven workflow — /constitute writes project rules, /spec writes structured ACs, /analyze detects plan drift and ghost milestones, /blueprint traces every milestone to a spec\n• Security layer — 111-rule environment scan (/sentinel), pre-write secret blocking, pre-ship credential audit\n• Progressive levels 0–10 — start with CLAUDE.md, grow into multi-agent pipelines and self-evolving environments\n• Zero dependencies — no npm packages, no external APIs, no vector databases. Plain markdown files and Claude Code's native architecture.\n• Smart install — npx azclaude-copilot@latest auto-detects first install vs upgrade vs verify. Context-aware onboarding shows the right next command for your project state.\n\nExample use cases:\n• /setup — scan an existing project, detect stack + domain + scale, fill CLAUDE.md, generate project-specific skills and agents automatically\n• /copilot \"Build a compliance SaaS with trilingual support\" — walk away, come back to working code across multiple sessions\n• /sentinel — run a scored security audit (0–100, grade A–F) across hooks, permissions, MCP servers, agent configs, and secrets\n• /evolve — detect gaps in the environment, generate new skills and agents from git co-change evidence, report score delta (e.g. 42/100 → 68/100)\n• /constitute — write your project's constitution (non-negotiables, architectural commitments, definition of done) — gates all future AI actions\n• /analyze — cross-artifact consistency check: ghost milestones, spec vs. code drift, unplanned commits\n• /reflect — find stale, missing, or contradicting rules in CLAUDE.md and propose exact fixes\n• /debate \"REST vs GraphQL for this project\" — adversarial evidence-based decision with order-independent scoring, logged to decisions.md",
   "author": {
     "name": "haytamAroui",

package/README.md

@@ -807,11 +807,11 @@ Run `/level-up` at any time to see your current level and build the next one.
 
 ## Verified
 
-1458 tests. Every template, command, capability, agent, hook, and CLI feature verified.
+1462 tests. Every template, command, capability, agent, hook, and CLI feature verified.
 
 ```bash
 bash tests/test-features.sh
-# Results: 1458 passed, 0 failed, 1458 total
+# Results: 1462 passed, 0 failed, 1462 total
 ```
 
 ---

package/bin/cli.js

@@ -1194,32 +1194,44 @@ if (hasPlan && hasPendingMilestones) {
 console.log('\n════════════════════════════════════════════════');
 console.log(`  AZCLAUDE v${currentVer} — ${isFirstInstall ? 'installed' : needsUpgrade ? 'upgraded' : 'up to date'}`);
 console.log('');
+
+// First-time users get a one-liner orientation
+if (isFirstInstall) {
+  console.log('  AI coding commands for Claude Code: /setup, /add, /fix,');
+  console.log('  /copilot, /ship and 29 more. Run them inside Claude Code.');
+  console.log('');
+}
+
 console.log('  Open Claude Code in this directory, then:');
 console.log('');
 
 if (onboardingPath === 'RESUME') {
-  console.log('  You have a plan with pending work:');
+  console.log('  A plan with pending work was found:');
   console.log('');
-  console.log('    /copilot          resume autonomous build');
   console.log('    /pulse            see current state first');
+  console.log('    /copilot          resume autonomous build');
   console.log('    /analyze plan     verify plan vs reality');
+  console.log('');
+  console.log('  Starting fresh instead?');
+  console.log('');
+  console.log('    /setup            (re)configure this project');
 } else if (onboardingPath === 'EXISTING') {
   console.log('  Existing project detected:');
   console.log('');
-  console.log('    /setup            scan + configure this project');
-  console.log('    /dream            define what to build next');
-  console.log('    /blueprint        plan the next feature');
-  console.log('    /copilot .        build autonomously');
+  console.log('    /setup            scan + configure this project  ← start here');
+  console.log('    /add [feature]    start building immediately');
+  console.log('    /dream            plan a full product first');
+  console.log('    /copilot          build autonomously');
 } else {
   console.log('  New project:');
   console.log('');
-  console.log('    /setup            configure this project');
+  console.log('    /setup            configure this project  ← start here');
   console.log('    /add [feature]    start building immediately');
   console.log('    /dream            plan a full product first');
 }
 
 console.log('');
 console.log('  ─────────────────────────────────────────────');
-console.log('  docs:    github.com/haytamAroui/AZ-CLAUDE-COPILOT');
-console.log('  upgrade: npx azclaude-copilot@latest');
+console.log('  all commands: /help  ·  docs: github.com/haytamAroui/AZ-CLAUDE-COPILOT');
+console.log('  upgrade:      npx azclaude-copilot@latest');
 console.log('════════════════════════════════════════════════\n');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "azclaude-copilot",
-  "version": "0.4.30",
+  "version": "0.4.32",
   "description": "AI coding environment — 34 commands, 9 skills, 15 agents, memory, reflexes, evolution. Install: npx azclaude-copilot@latest, then open Claude Code.",
   "bin": {
     "azclaude": "bin/cli.js",

package/templates/hooks/pre-tool-use.js

@@ -191,6 +191,30 @@ const RULES = [
     message: 'Prompt injection pattern detected in file being written — this content could hijack AI agent context when read. Matches known CVE-2025-54794 attack vector. Review before proceeding.',
     block:   false,
   },
+  {
+    id:      'c-gets',
+    test:    /\bgets\s*\(/,
+    message: 'gets() detected — buffer overflow vulnerability (removed from C11). Use fgets() or getline() with explicit bounds.',
+    block:   false,
+  },
+  {
+    id:      'php-shell-exec',
+    test:    /\bshell_exec\s*\(/,
+    message: 'shell_exec() detected — command injection risk. Use escapeshellarg() or avoid shell execution entirely.',
+    block:   false,
+  },
+  {
+    id:      'java-runtime-exec',
+    test:    /Runtime\.getRuntime\(\)\.exec\s*\(/,
+    message: 'Runtime.exec() detected — command injection risk. Use ProcessBuilder with a String[] argument array instead.',
+    block:   false,
+  },
+  {
+    id:      'jinja2-ssti',
+    test:    /render_template_string\s*\(/,
+    message: 'render_template_string() detected — server-side template injection risk. Use render_template() with a file-based template instead.',
+    block:   false,
+  },
   {
     id:      'subprocess-shell-true',
     test:    /subprocess\.(run|Popen|call|check_output)\s*\([^)]*shell\s*=\s*True/,

package/templates/skills/security/SKILL.md

@@ -47,13 +47,14 @@ All hooks share `/tmp/.azclaude-seclog-{PID}` (JSONL). Session summary printed a
 Warns (once per session) when Claude reads credential files:
 `.env`, `.env.*`, `secrets.json`, `secrets.yaml`, `credentials.json`, `id_rsa`, `id_ed25519`, `id_ecdsa`, `id_dsa`, `.pem`, `.p12`, `.pfx`, `.keystore`
 
-## Write Gate — 15 Rules (pre-tool-use.js)
+## Write Gate — 19 Rules (pre-tool-use.js)
 Scans all Edit/Write content before writing. Secrets → **Block** (exit 2). Others → Warn.
 
 Key patterns: `eval(`, `child_process.exec(`, `dangerouslySetInnerHTML`, `pickle.load(`,
-`os.system(`, `subprocess(..., shell=True)`, `MD5`/`SHA1`/`Math.random()`, `__proto__`,
-`yaml.load(`, `../` traversal, `ignore previous instructions`,
-AWS/GH/GL/Slack/npm/GCP/Stripe/SendGrid/PEM tokens.
+`os.system(`, `subprocess(..., shell=True)`, `gets(`, `shell_exec(`,
+`Runtime.getRuntime().exec(`, `render_template_string(`,
+`MD5`/`SHA1`/`Math.random()`, `__proto__`, `yaml.load(`, `../` traversal,
+`ignore previous instructions`, AWS/GH/GL/Slack/npm/GCP/Stripe/SendGrid/PEM tokens.
 
 For fix guidance per pattern: `references/security-details.md`
 

package/templates/skills/security/references/security-details.md

@@ -15,7 +15,7 @@ Claude plans & calls tools
 [pre-tool-use.js] — intercepts 3 tool types before execution:
   Bash  → blocks curl|bash RCE, destructive rm; warns npm install, env var echo
   Read  → warns on credential file access (.env, secrets.json, id_rsa, .pem)
-  Write → 14 code vulnerability pattern rules (see table below)
+  Write → 19 code vulnerability pattern rules (see table below)
        ↓                          ↓
 [post-tool-use.js]         /tmp/.azclaude-seclog-{PID}
   behavioral sequence             ↑ shared session event log
@@ -88,6 +88,10 @@ Scans all Edit/Write/MultiEdit operations. Warnings → stderr. Secrets → exit
 | `path-traversal` | `../` in file paths | Any | Arbitrary file read/write | Warn |
 | `prompt-injection-write` | `ignore previous instructions` / `{"role":"user","content":` | Any | AI context hijack (CVE-2025-54794) | Warn |
 | `subprocess-shell-true` | `subprocess.run(..., shell=True)` / `subprocess.Popen(..., shell=True)` | Python | Command injection via shell metacharacters | Warn |
+| `c-gets` | `gets(` | C/C++ | Buffer overflow (removed from C11) | Warn |
+| `php-shell-exec` | `shell_exec(` | PHP | Command injection | Warn |
+| `java-runtime-exec` | `Runtime.getRuntime().exec(` | Java/Kotlin | Command injection | Warn |
+| `jinja2-ssti` | `render_template_string(` | Python/Flask | Server-side template injection | Warn |
 | `hardcoded-secret` | AWS/GH/GL/Slack/npm/GCP/Stripe/SendGrid/PEM key tokens | Any | Credential exposure | **Block** |
 
 **Fix guidance per pattern:**
@@ -102,6 +106,10 @@ Scans all Edit/Write/MultiEdit operations. Warnings → stderr. Secrets → exit
 - `yaml-unsafe-load` → use `yaml.safe_load()` — always
 - `path-traversal` → use `path.resolve()` + validate result starts with allowed base dir
 - `prompt-injection-write` → review content before writing to files that will be read by AI agents; never embed instruction-like text in project files
+- `c-gets` → use `fgets(buf, sizeof(buf), stdin)` or `getline()` — always specify buffer bounds
+- `php-shell-exec` → use `escapeshellarg()` / `escapeshellcmd()`, or avoid shell calls entirely
+- `java-runtime-exec` → use `new ProcessBuilder(List.of("cmd", "arg1")).start()` with a String array
+- `jinja2-ssti` → use `render_template("file.html", ...)` with a file-based template, never render raw strings
 - `hardcoded-secret` → use environment variables (`process.env.MY_SECRET` / `os.environ['MY_SECRET']`)
 
 ---